PHP write variables to file

[gaptrast]

Hi,

I have a form, and want to transfer all info typed into another php document as variables!

Here is the form:

HTML Code:

<form action=".index.php" method="get" class="form">

<input type="text" name="title" />

<input type="text" name="brief" />

<input type="submit" />

</form>

But this php code just writes "0" to the file:

PHP Code:

$myFile = "../phpprofiles/pahhh.php";
$fh = fopen($myFile, 'w') or die("can't open file");
$stringData = '
<?php
$title = "'+ $_GET["title"] +'";

$description = "'+$_GET["info"]+'";

$image = "'+$_GET["screenshot"]+'";

$name = "'+str_replace( " ", "", $_GET["title"] )+'";

$howtostop = "'+ $_GET["stop"] +'";

$tags="'+ $_GET["tags"] +'","'+ $_GET["tags2"] +'","'+ $_GET["tags3"] +'";


$producer="'+ $_GET["producer"] +'";
?>
';
fwrite($fh, $stringData);
fclose($fh);

Is there a way to solve this?

[cybrax]

First steps are never easy, so always a good idea to go through all the tutorials. Though must admit there is a distinct lack of intermediate scripting help about for those trying to put it all together. PHP.net is a good place to find basic snippets.

Here's some quick code for inspiration, handy for many uses including blogging and adding comments to a page. Everthing gets stored in an external file called 'data.txt'.

PHP Code:

<?php
$title     = stripslashes($_POST["title"]);
$brief     = stripslashes($_POST["brief"]);


$output = '<h2>'.$title.'</h2><p>'.$brief.'</p>';

if ($title != '' && $brief !='') {
$datFile = 'data.txt';//write new data to file
                                $fh = fopen($datFile, 'w') or die("can't open file"); // 'w' = overwite existing file, 'a' = add to file
                                fwrite($fh,$output);
                                fclose($fh);// 
}

$content= @file_get_contents("data.txt");
?>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>

<body><form action="novice1.php" method="post">
  <table width="330" border="0" cellpadding="5" cellspacing="5">
    <tr>
      <td bgcolor="#FF6600"><h2>Data In File: </h2></td>
    </tr>
    <tr>
      <td bgcolor="#FFCC00"> <?php echo $content; ?></td>
    </tr>
    <tr>
      <td>&nbsp;</td>
    </tr>
    <tr>
      <td bgcolor="#33CCFF"><label>
        <input name="title" type="text" id="title" value="title" size="30" />
      </label></td>
    </tr>
    <tr>
      <td bgcolor="#0066FF"><label>
        <textarea name="brief" cols="20" id="brief">text description</textarea>
      </label></td>
    </tr>
    <tr>
      <td><label>
        <input type="submit" name="Submit" value="Submit" />
      </label></td>
    </tr>
  </table>
</form>
</body>
</html>

[descalzo]

PHP Code:


$stringData = '
<?php
$title = "'

+ 

$_GET["title"] 

+

'";

$description = "'

+

$_GET["info"]

+

'";

$image = "'

+

$_GET["screenshot"]

+

'";

$name = "'

+

str_replace( " ", "", $_GET["title"] )

+

'";

$howtostop = "'

+ 

$_GET["stop"] 

+

'";

$tags="'

+

 $_GET["tags"] 

+

'","'

+ 

$_GET["tags2"] 

+

'","'

+

 $_GET["tags3"] 

+

'";


$producer="'

+ 

$_GET["producer"] 

+

'";
?>
'    ;

In PHP '+' is just for addition. So your code turns all the strings into numbers (all 0) and adds them.

You want '.' to concatenate strings.

[misson]

Another option is to use heredoc syntax for the file content. Note that, as written, you've got quite a serious code injection problem. It can be tricky to sanitize the input properly, which is why generating PHP containing user input is a bad idea. One alternative is to generate an INI file, which you can later load with parse_ini_file.

PHP Code:

<?php

$myFile = "../iniprofiles/pahhh.ini"; 
$fh = fopen($myFile, 'w'); 
if (! $fh) {
    /* don't use "die" if outputting HTML */
    ...
} else {
    /* Sanitize input */
    if (get_magic_quotes_gpc()) {
        foreach ($_REQUEST as $key => $val) {
            $_REQUEST[$key] = stripslashes($val);
        }
    }
    /* 'strip_tags' may or may not be appropriate, depending on where the data 
     * will end up. For example, some HTML be allowed in the description.
     */
    $data = str_replace("\n", ' ', array_map('strip_tags', $_REQUEST));
    $data['title'] = str_replace( " ", "", $data["title"]);
    # 'array_filter' will remove empty values
    $data['tags'] = implode(',', array_filter(array_intersect_key(
                                                    array('tags'=>1, 'tags2'=>1, 'tags3'=>1),
                                                    $data)));
    $stringData =<<<EOF
title={$data["title"]}
description={$data["info"]}
image={$data["screenshot"]}
name={$data["title"]}
howtostop={$data["stop"]}
tags={$data["tags"]}
producer={$data["producer"]}
EOF;

    fwrite($fh, $stringData); 
    fclose($fh);
}

If for some reason you insist on generating a PHP script, look into applying addslashes if magic quotes are off, but it's still dangerous to mix host and embedded languages when generating output.